tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

FIX: ensure that permissions_for_member() accounts for denied permissions.

Browse Source 
Taken from http://open.silverstripe.org/ticket/7296. PermissionTest extended to validate that permissions_for_member() includes permissions denied pre applying patch. PermissionTest passes post patch.
This commit is contained in:
Will Rossiter 2012-07-01 17:55:20 +12:00
parent 23ed5335e6
commit 9babb01a4b
3 changed files with 40 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
security/Permission.php
View File

@ -230,15 +230,16 @@ class Permission extends DataObject implements TemplateGlobalProvider {
/**
* Get all the 'any' permission codes available to the given member.
* @return array();
*
* @return array
*/
public static function permissions_for_member($memberID) {
$groupList = self::groupList($memberID);
if($groupList) {
$groupCSV = implode(", ", $groupList);
// Raw SQL for efficiency
return array_unique(DB::query("
$allowed = array_unique(DB::query("
SELECT \"Code\"
FROM \"Permission\"
WHERE \"Type\" = " . self::GRANT_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
@ -252,9 +253,16 @@ class Permission extends DataObject implements TemplateGlobalProvider {
WHERE \"GroupID\" IN ($groupCSV)
")->column());
} else {
return array();
$denied = array_unique(DB::query("
SELECT \"Code\"
FROM \"Permission\"
WHERE \"Type\" = " . self::DENY_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
")->column());
return array_diff($allowed, $denied);
}
return array();
}

22
tests/security/PermissionTest.php
View File

@ -1,6 +1,11 @@
<?php
/**
* @package framework
* @subpackage tests
*/
class PermissionTest extends SapphireTest {
static $fixture_file = 'PermissionTest.yml';
function testGetCodesGrouped() {
@ -34,6 +39,23 @@ class PermissionTest extends SapphireTest {
$this->assertFalse(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
}
function testPermissionsForMember() {
$member = $this->objFromFixture('Member', 'access');
$permissions = Permission::permissions_for_member($member->ID);
$this->assertEquals(4, count($permissions));
$this->assertTrue(in_array('CMS_ACCESS_MyAdmin', $permissions));
$this->assertTrue(in_array('CMS_ACCESS_AssetAdmin', $permissions));
$this->assertTrue(in_array('CMS_ACCESS_SecurityAdmin', $permissions));
$this->assertTrue(in_array('EDIT_PERMISSIONS', $permissions));
$group = $this->objFromFixture("Group", "access");
Permission::deny($group->ID, "CMS_ACCESS_MyAdmin");
$permissions = Permission::permissions_for_member($member->ID);
$this->assertEquals(3, count($permissions));
$this->assertFalse(in_array('CMS_ACCESS_MyAdmin', $permissions));
}
function testRolesAndPermissionsFromParentGroupsAreInherited() {
$member = $this->objFromFixture('Member', 'globalauthor');